Workspot supports multiple Virtual Private Cloud networks (VPCs) as if they were a single network. This feature is available for Google GCP. See Google’s article on Shared VPC.
Highlights
Allows different projects in the same Cloud to communicate with each other.
Available to all Workspot GCP customers.
GCP Configuration Overview
Two approaches are possible for VPC access:
All subnets access. Making all subnets in the GCP host project accessible to your Workspot deployment. This is the recommended option.
Individual subnets access. Making only selected subnets available to the Workspot deployment. If this option is used, Control cannot assign or track Public IP addresses, which means Workspot Managed Gateways can only be created with assistance from Workspot Support.
Configuring the All Subnets Access Option
This is the recommended option. This approach has the following characteristics:
All subnets in the Service Projects associated with the Host Project are shared; any permissions settings for the subnets are ignored.
A custom role is used by the Service Account to allow Control to manage the necessary features.
Host Project/Service Account Permissions
Host Project. The Service Account for the Host Project must use custom GCP permissions for Shared VPCs to work. Items in bold are in addition to the default permissions:
compute.addresses.create
compute.addresses.delete
compute.addresses.get
compute.addresses.use
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.projects.get
compute.regionOperations.get
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
Service Projects. GCP service projects used by the Shared VPC must also set compute.projects.get.
Create Permissions (First Option)
Add a new IAM Principal in the GCP Console at “Shared VPC > Subnet Access > All subnets access > Project Level Permissions > Add Principal.”
Name the new Principal (we used “SharedVPC”) and give it the permissions from the list above.
Verify the results on the IAM page.

Create Permissions (Second Option)
You can also use the IAM page to set the permissions.
Go to “IAM > Permissions > View by Principals > Grant Access”.
Add permissions from the list above.
This will also set shared VPC project-level permissions with the same user and role.
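To confirm that the custom role holds exactly the permissions listed above, with nothing missing and nothing extra, the following added example (not Workspot's or Google's code) audits a role exported with gcloud iam roles describe --format=json. The project name, role name and sample export are constructed for illustration.

```python
import json

# Host Project permissions listed above for the All Subnets Access option.
REQUIRED_HOST = frozenset("""
compute.addresses.create compute.addresses.delete compute.addresses.get
compute.addresses.use compute.firewalls.create compute.firewalls.delete
compute.firewalls.get compute.networks.get compute.networks.list
compute.networks.updatePolicy compute.projects.get compute.regionOperations.get
compute.subnetworks.get compute.subnetworks.getIamPolicy compute.subnetworks.list
compute.subnetworks.use compute.subnetworks.useExternalIp
""".split())
# Service projects need only this permission, per the page.
REQUIRED_SERVICE = frozenset({"compute.projects.get"})


def audit_role(role_json: str, required=REQUIRED_HOST) -> dict:
    """Compare a custom role export against the required permission set.

    role_json is the output of `gcloud iam roles describe ... --format=json`;
    the granted permissions are in its `includedPermissions` field.
    """
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))
    return {
        "role": role.get("name", "<unnamed>"),
        "missing": sorted(required - granted),  # required by the page, not granted
        "extra": sorted(granted - required),    # granted beyond what the page lists
        "disabled": role.get("deleted", False) or role.get("stage") == "DISABLED",
    }


# Constructed sample export (hypothetical project and role names):
# one required permission is missing and one unrelated permission was added.
SAMPLE = json.dumps({
    "name": "projects/example-host-project/roles/SharedVPC",
    "stage": "GA",
    "includedPermissions": sorted(
        (REQUIRED_HOST - {"compute.subnetworks.useExternalIp"})
        | {"compute.instances.delete"}),
})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE), indent=2))
```

Pass REQUIRED_SERVICE as the second argument to run the same check against a role used in a service project.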

Configuring the Individual Subnets Access Option
Note: This option has limited functionality and requires intervention by Workspot to get your Managed Gateways running.
This option does not allow a custom role to be used but requires the “Compute Network User” role. The limited permissions of this role limit Workspot Control’s capabilities.
With this option you can share selected subsets of the subnets, not all subnets.
Add Principal with Subnet-Level Access
Contact Workspot to ask for advice and assistance with your public IP addresses before proceeding.
Go to “Shared VPC > Subnet Access > Individual Subnet Access > Select Subnets to Share > Add Principal.”
Create the Principal with the “Compute Network User” role.
Select the subnets to share.

Control Configuration

Shared VPC adds two additional fields to the Add Public Cloud pages (which are otherwise the same as before): Use Shared VPC and Host Project ID.
Use Shared VPC enables or disables the Shared VPC feature.
Host Project ID is the GCP project that you have already designated as a Host Project, as described in Google’s Shared VPC document.
Once configured, these settings cannot be changed. Instead, define a new Public Cloud.
Enabling Shared VPC makes the Host Project’s resources available to your Workspot deployment.
All management of the shared project itself is done on GCP.
Using Shared VPCs in Desktop and App Pools
Once Shared VPC is enabled in a given Cloud, only the VPC subnets shared by the Host Project are displayed when creating a template, desktop pool, or app server pool. Select these as usual.
Related Documents
Shared VPC (Google GCP Article).